On September 9th, my blog post on the "Here You Have" worm mentioned that the spread mechanisms of the worm were narrowly focused on a few targets that it hit very hard. Because of this, I've been quite surprised to see claims such as this USA Today article, which claims:
Viral messages carrying an innocuous-looking "Here you have" or "Just for you" subject line at one point Thursday accounted for an astounding 14.2% of spam messages moving across the Internet, says Nilesh Bhandari, Cisco product manager.
and then goes on to do the math for us. The article says there are 300 billion emails per day, so "Here You Have" must have sent 42 billion emails. They then show a chart, for which they provide no source attribution, that demonstrates that there was only one thirty minute period where whoever their source for the chart (presumably Cisco?) claimed the spam had reached 14.2%.
If we assume briefly that there really are 300 billion emails per day, a back of the envelope calculation of this chart would indicate that there were actually closer to 8 billion, rather than 42 billion, emails sent by "Here You Have". (You can clearly see by the USA Today's own chart that in most time periods for the day the percentage was closer to "0%" than to "14%"). 14.2% occurred in only one 30 minute sampling, which, if we assume an equal distribution of the 300 billion across the day, would mean 887 million emails in that thirty minute window.
BUT WAIT! Is it accurate to project the sampling from Cisco's Ironport on "the global spam" picture? Absolutely not! Take for a moment my personal anecdotal evidence. I stand by my earlier statement that the UAB Spam Data Mine on September 9th received 17 copies of the "Here You Have" emails, 13 of which came from senders in a single large financial institution. Our calculation of 0.00002% is perhaps closer to the average "global spam" recipients reality.
In my personal spam collection, including many "live" personal email addresses, I received 10,134 spam email messages on September 9th, of which ZERO were from the "Here You Have" worm. (And yes, I use NO FORM of spam filtering on those email addresses.) I also received zero copies in my university email accounts.
Our reality, and yours, unless your primary email account is in a very large corporation running Outlook, is probably closer to what was described by Microsoft. (Thanks to Robert McMillan of IDG News for pointing this out in his article Here You Have Worm Caused Brief Havoc.)
In this Technet Blog post: "Update on the Here You Have Worm: Visal-B" the Microsoft lab says that in normal spam monitoring, 90% of their reports come from "consumer" email users (protected and reported through Microsoft Security Essentials), while very few reports come from their "corporate" email users (protected and reported through Forefront Client Security).
Microsoft bloggers Jimmy Kuo & Holly Stewart go on to say that while they have sensors deployed worldwide, 98% of their reports for this worm came from US-based reporters. Cisco's 2010 MidYear Security Report (36 page PDF) says that 8.98% of global spam originates in the United States.
When Cisco Ironport reports their numbers, we have to remember that their appliance is overwhelmingly present in corporate email accounts. I know the Ironport guys, believe they have a great product, and believe they reported accurately what they saw on the corporate networks, but also believe that a few media sources have misinterpreted these numbers to turn Here You Have into the Global Armageddon of Spam, which it clearly was not. Except for some US-based corporate mail servers.
But was that the whole point? In order to learn more we need to identify some "patient zero" spam recipients. Who was THE FIRST PERSON at ABC, NASA, Google, JP Morgan Chase, etc, to receive the spam. When we learn more about who is behind the attack, it looks like targeting "big corporations" may have been the whole point of the worm!
The more interesting angle to me is the revelations from Joe Stewart, the International Grandmaster of Malware Analysis at SecureWorks in his blog post Here You Have Worm and e-Jihad Connection. I asked Heather McCalley, the Criminal Intelligence Supervisor in the UAB Computer Forensics Research Laboratory to summarize the details for us:
Joe Stewart had previously identified that the malware contained a string "iraq_resistance" and that a previous version of the same malware use an email address "email@example.com".
A fellow researcher at Internet Identity provided us a link to a YouTube video that claimed to be from the author of the worm. When we first saw the video early yesterday morning it had been viewed 128 times. Heather took a screen shot showing 302 views yesterday morning. This morning there have been 3,803 views of the video.
My nickname is Iraq Resistance. Listen to me about the reasons behind the 9 september virus that affected NASA, Coca-Cola, Google, and most American ?gains?. What I wanted to say is that United States does not have the right to invade our people and steal our oil under the name of nuclear weapons. Have you seen any there? No evidence, even about any project. How easy you kill and destroy. Second, about the Christian Terry Jones what he tried to do on the same day this worm spread is not even fair. I know that not all Christians are similar and some newspapers wrote that I am a terrorist hacker because of the computer virus and Mr. Terry Jones is not and he is not terrorist because he infected all muslims' behavior. I think America, come on! Be fair. Where is your freedom which must end when it reaches another person's freedom. And you say you modern educated people. I don't know there is another one and really I don't like smashing and as you know there were no computers smashed as you know by the analysis report. I could have smashed all those I infected but I wouldn't and don't use the word terrorist please. I hope that all people understand I am not a negative person. Thanks for publishing.
(click for video)
So, shall we take Mr. IqZiad at his word? Context is everything, and in this case, we have ample evidence that iraq_resistance, the self-proclaimed "Commander of the Brigades of Tariq bin Ziad", desires to harm America.
Here's a post that he made on the website "vbhacker.net" where he has been active since 2006 using the username "iraq_resistance":
فيروس طارق بن زياد يعصف بأمريكا
قام قائد كتائب طارق بن زياد بشن هجوم فيروس على شركات امريكية وذلك يوم الخميس واصاب عدد هائل من الكمبيوترات ما ادى الى ان الشركات توقف خادمات البريد حتى تسيطر على المشكلة.
وقد اوقفت شركة كومكاست بعض خادماتها وشركة قوقل وشركة كوكاكولا ووكالة ناسا وذلك في ضرف ساعتين مساء الخميس الموافق 9-9-2010
هذا تقرير من شركة مايكروسوفت
وهذا تقرير الدايلي ميل البريطانية
وقد اقسم قائد كتائب طارق بن زياد على مواصلة الهجوم في وقت لاحق انتقاما لحملتهم على الاسلام
الرجاء نشر هذا الانجاز والدعاء لكتائب طارق بن زياد بالتوفيق والحفظ
The post takes credit for the attack, links to two news stories about the attack, and then closes in the last two lines by saying:
As the Commander of the Brigades of the Tarik bin Ziad, I swear the attacks will continue in retaliation for their attacks against Islam.
Please publish this achievement and pray for the success and protection of al-Tarik bin Ziad.
Well, Mr. IQZiad, I've published your achievement, but I am certainly praying for a different outcome than the one you request.
The user iraq_resistance has been a member of vbhack.net since 2006. When we looked into the board this morning there were 619 active registered users logged in to the site, as well as 17,032 "guests" reading public messages on the board. The board, which is hosted on LiquidWeb in Chicago, is one of the 22,000 most popular on the Internet according to NetCraft, and has many non-offensive topics, including large popular forums about the World Cup and Islam.
Despite his long membership, Iraq_resistance has only created three discussion threads. The most popular, which was read 4,765 times and has 163 replies, was this message from May of 2008, entitled: مطلوب شباب للمشاركة في حملة الجهاد الالكتروني
which translates as: "Wanted: Young people to participate in Electronic Jihad".
السلام عليكم اخواني
تم تأسيس مجموعة بإسم كتائب طارق بن زياد وهدف هذه المجموعة اختراق اجهزة امريكية تابعة للجيش الامريكي
وقد تطلب زيادة العدد حتى نكون اكثر فعالية .. لذلك نطرح شروط الانتساب الى هذه المجموعة الجهادية الالكترونية:
1 - أن يكون هدف المشترك الجهاد الالكتروني وأن يقسم أنه لن يستخدم ما يتعلمه مع المجموعة ضد هدف آخر.
2 - الإخلاص في العمل واحترام أعضاء المجموعة وبعد توسعها يكون للاقدمية والاكثر فعالية مرتبة القيادة على مجموعات تابعة للمجموعة الرئيسية .
3 - يكون اللقاء والمحادثة على الياهو مسنجر والامسن .
4 - اي مشاكل مع الاعضاء او القيادات باب الشكوى مفتوح للقائد العام للكتائب .
5 - مستوى المجاهد غير مهم لانه سيتعلم مع المجموعة كما ان الطريقة ليست صعبة وهي مؤثرة فعلا.
6 - اتباع نصائح القائد العام والاخلاص الكامل بالعمل لوجه الله .
7 - تناسي الاحقاد بين اعضاء المجموعة وروح المنافسة تكون ضد العدو وليس ضد الاخوة .
8 - القسم في عدم استخدام ما يتعلمه في هدف اخر خارج المجموعة سيكون على المايك ويسمعه القائد العام .
نسأل الله ان يوفقنا ويسدد خطانا واياكم .. ونتمنى من الاخوة الاستجابة للانضمام لهذه الفرصة المباركة
كما نشكر ادارة المنتدى لاتاحة الفرصة لاعلان الحملة وطلب والانتساب وسيتم موافاتكم اولا باول بالنتائج باذن الله.
للانضمام الرجاء اضافة معرف ياهو
بانتظار المجاهدين لقبول اضافتكم
اخوكم القائد العام لكتائب طارق بن زياد
Which, according to Google translate, reads:
Peace be upon you my brothers
Group was established in the name of al-Tariq bin Ziyad and goal of this group infiltrate a U.S. subsidiary of the U.S. Army
The increasing number of requests so we'll be more effective .. Therefore, we present the conditions for affiliation to these jihadist group E:
1 - to be the common goal of electronic jihad and to apportion that it will use what it learns with the group against the other goal.
2 - dedication to work and respect for members of the group and after the expansion is the most seniority and rank the effectiveness of the leadership groups of the main group.
3 - be meeting and chatting on Yahoo Messenger, Alamson.
4 - any problems with members or leaders open the door of the complaint to the General Commander of the Brigade.
5 - the level of fighting is not important because he will learn with the group and that the way in which it is not really impressive.
6 - follow the advice of the Commander in Chief and dedication to working for God's sake.
7 - forget the grudges between the members of the group and the spirit of competition which is against the enemy and not against the brothers.
8 - Section in the non-use of learning the target outside the group will be on the mic and hear the commander in chief.
We ask God to help us and guide our steps and you .. And good response from the brothers to join this blessed opportunity
We also thank the management of the Forum for the opportunity to announce the campaign and asked the association and will provide you with first hand the results, God willing.
Please add to join the Yahoo ID
Waiting for the Mujahideen to accept Adavckm
Brother Commander General of the Brigades, Tariq ibn Ziyad
Tariq ibn Ziyad was the name of the Muslim servant who was appointed a General and given troops to conquer the Iberian peninsula in the year 711. You can read more about him in his Wikipedia article, or for a more Islam-friendly version of events, see HaqIslam. Tariq is the invader who famously burned his ships after landing, convinced of his victory by a vision of the Prophet promising him success and that he would personally kill King Roderick.
The same "call for recruits" was posted in many other places, including:
http://www.amman-dj.com/vb/a-t68089/ (by user "iraq_resistance", active since December 2006, hosted on SoftLayer in the USA.)
http://www.m0dy.net/vb/t104142.html (by user "iraq_resistance", active since November 2005, hosted on SoftLayer in the USA.)
http://vbnaajm.naajm.com/showthread.php?t=44269 (by user "iraq_resistance", active since July 2004, hosted on BlueHost in the USA.)
http://www.arabteam2000-forum.com/index.php?showuser=74343 (user "iraq_resistance", active since March 2006, hosted on XLHost in the USA.)
In addition there are malware author recruiting ads, such as this one:
The call is for assistance from those who can create computer viruses to strike the enemy. Malware coders who want to help in the cause were instructed (in Arabic):
To subscribe send a message to
And please send a message to email the following to configure a lethal army of God Almighty in the future
So despite the "I'm not a terrorist", YouTube video, we have a mass-mailing worm that disproportionately impacted US-based businesses, successfully planting backdoor code on many of the infected machines, planted by a person who has been calling himself "Iraq_resistance" since 2006, and who has been recruiting for "electronic Jihad" participants since 2008. This person boasted about his attacks, and has promised there will be others, and as far back as March 6, 2009, was specifically inviting malware authors to help him create "a lethal army of God".
Was there a lot of Hype in the coverage of this malware? Yes. But perhaps the hype is deserving a deeper response than a shrug.
Our friend Bob McMillan has shared an interesting Series of Emails with the worm author.